The following issue was discussed with Mike West, Artur Janc, Jochen Eisinger, and Devdatta Akhawe. I have found a bug in GC, which could be used as a hint for adding some extra information into the spec (Chromium issue 780760). In conclusion, we should mark a canvas as tainted in case of different suborigins. I recommend that this should be explicitly mentioned in the spec.
Details of the bug
HTML canvas elements are currently not marked as "tainted" when content from two different suborigins is involved.
Version
Chrome Version: Version 61.0.3163.100 (Offizieller Build) (64-Bit)
Operating System: MacOS 10.12.6
chrome://flags/: "Experimental Web Platform features" (Mac, Windows, Linux, Chrome OS, Android) is enabled
Reproduction case
Original way to reproduce the bug: 1) Go to http://your-sop.com/index.php?exec=native 2) Click on the button "ED: MP4 and OGG" -> "EE:
We can see that we have "yes(pixel)" access both in the same-origin case ("Suborigin: your") and in the cross-origin case ("Suborigin: your" vs "Suborigin: other"). This only happens on our Suborigin testbed; we also have "javascript:" and the one published at USENIX
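The "yes(pixel)" / "no" classification the testbed reports can be reproduced with a small probe page. The following is an added example, not code from the issue or from the testbed: it draws an image from a URL served under another suborigin (the URL is an assumed input) into a fresh canvas and reports whether getImageData() is allowed or raises a SecurityError, which is what a correctly tainted canvas must do.

```javascript
// Added example (not from the original issue). Classifies the outcome of a
// pixel read on a canvas: a SecurityError means the canvas is tainted, which is
// the expected result after drawing a cross-(sub)origin image.
function classifyPixelAccess(readPixels) {
  try {
    readPixels();
    return "yes(pixel)";
  } catch (e) {
    if (e && e.name === "SecurityError") return "no(tainted)";
    throw e; // anything else is a defect in the probe, not a taint verdict
  }
}

// Browser-only part: loads imageUrl (assumed to be served under a different
// suborigin, e.g. "Suborigin: other"), draws it into a new canvas and probes a
// single pixel. Resolves with "yes(pixel)" or "no(tainted)".
function probeCanvasTaint(imageUrl) {
  return new Promise((resolve, reject) => {
    const img = new Image();
    img.onload = () => {
      const canvas = document.createElement("canvas");
      canvas.width = img.width;
      canvas.height = img.height;
      const ctx = canvas.getContext("2d");
      ctx.drawImage(img, 0, 0);
      resolve(classifyPixelAccess(() => ctx.getImageData(0, 0, 1, 1)));
    };
    img.onerror = () => reject(new Error("image failed to load: " + imageUrl));
    img.src = imageUrl;
  });
}
```

On a spec-conformant browser the cross-suborigin call resolves with "no(tainted)"; the Chromium build named above resolves with "yes(pixel)", which is the bug.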